Abstract. Partial mutual exclusion is the drinking philosophers problem for complete graphs. It is the problem that a process may enter a critical section CS of its code only when some finite set nbh of other processes are not in their critical sections. For each execution of CS, the set nbh can be given by the environment. We present a starvation free solution of this problem in a setting with infinitely many processes, each with finite memory, that communicate by asynchronous messages. The solution has the property of first-come first-served, in so far as this can be guaranteed by asynchronous messages. For every execution of CS and every process in nbh, between three and six messages are needed. The correctness of the solution is argued with invariants and temporal logic. It has been verified with the proof assistant PVS.

Key words: Drinking philosophers; distributed algorithms; starvation freedom; verification; fairness
1 Introduction

Partial mutual exclusion is a problem that goes back to Dijkstra's dining philosophers [5] and the drinking philosophers of Chandy and Misra [3]. It is the problem that a process may enter a critical section of its code only when some specified finite set nbh of other processes (neighbours) are not in their critical sections. In the case of the dining philosophers, the philosophers form a ring and nbh consists of the two neighbour philosophers.

The drinking philosophers form an arbitrary finite undirected graph, say with Nbh.p as set of neighbours of philosopher p. The set nbh.p is then a modifiable subset of Nbh.p, but the algorithm has a message complexity proportional to the sizes of Nbh.p, and these can be considerably larger than nbh.p.

Investigations into dining or drinking philosophers have always been motivated 
by the desire for a clean abstraction of the problems of resource allocation. 

Inspired by the emergence of the internet, we generalize the setting to potentially 
infinitely many processes and to arbitrary finite sets nbh that can change over time. 
More precisely, when the environment prompts a process, say p, to enter its critical 
section CS, it gives p nondeterministically a finite set nbh.p of other processes (to 
be called neighbours). After executing CS, process p resets nbh.p to the empty set
when it becomes idle again. 

Partial mutual exclusion is the requirement that when two processes, say q and r, are both in each other's neighbourhoods, they are not both in their critical sections:

PMX: $r \in \mathit{nbh}.q \wedge q \in \mathit{nbh}.r \wedge q \text{ in CS} \wedge r \text{ in CS} \Rightarrow \mathrm{false}$ .

We do not require that r ∈ nbh.q be equivalent to q ∈ nbh.r, because this would
restrict the environment and the processes considerably. When q and r are both in 
each other's neighbourhoods, we speak of a conflict between q and r. For comparison, mutual exclusion itself would be the requirement:

$q \text{ in CS} \wedge r \text{ in CS} \Rightarrow q = r$ .
We assume that the processes have private memory and communicate by asynchronous
messages. Messages are reliable: they are not lost or duplicated. They can
pass each other, however. The processes receive and answer messages even when 
they are idle. 

We impose a first-come first-served order (FCFS) in the following way. Whenever 
a process starts the entry protocol, it notifies all its neighbours. If the notification 
of process q reaches r before process r starts its entry protocol, and if the entry of r 
is in conflict with q, then process q reaches CS before process r does. The classical
definition of FCFS in [11] only applies to shared memory systems and total mutual
exclusion. The above definition of FCFS seems to be the natural translation for 
partial mutual exclusion with message passing. 

As a process may have to wait a long time before it can enter the critical section, 
it is important that the environment of any process p is allowed nondeterministically 
to abort the entry protocol of p and move it back to the idle state. 

There are two progress requirements: starvation freedom and maximal concurrency.
Starvation freedom ([6], also called lockout freedom [13]) means that, for
every p, whenever process p needs to enter CS, it will eventually do so if it is not 
aborted. 

Starvation freedom can only hold under the assumption of weak fairness for all 
processes. Weak fairness for process p means that if, from some time onward, process 
p is continuously enabled to do a certain step different from entering or aborting, 
it will do the step. We elaborate on the concept of weak fairness in Section 4.

The second progress requirement is maximal concurrency, introduced in [15].
Maximal concurrency means that in any case (i.e. without weak fairness) a process 
can make progress when it has no conflicts with other processes. More precisely, 
every process p that needs to enter CS and does not abort, will eventually enter 
CS, provided it satisfies weak fairness itself, all other processes receive and answer 
messages from p, and no process comes in an eternal conflict with p. The point here 
is that processes without conflicts with p need not be weakly fair; e.g., they are 
allowed to remain in CS forever. 

1.1 Sketch of a solution 

The main reason for waiting is formed by conflicts: q ∈ nbh.r and r ∈ nbh.q. The
conflict relation determines an undirected graph. The performance of any solution 
depends on the sizes and the shapes of the connected components of this graph. 
Conversely, however, the evolution of this graph depends on the performance. The 
sooner a process reaches CS, the sooner its set nbh is made empty again. This 
justifies the search for a simple solution with as few messages as possible.

The first step of the solution was explicitly writing down what FCFS would mean
for partial mutual exclusion in a message passing system. This led us to a solution 
with two layers: an outer protocol to guarantee FCFS, and an inner protocol to 
guarantee partial mutual exclusion. This is the same global design as used in the 
shared-variable mutual exclusion algorithm of [12].

The outer protocol requires 3 messages for every element of nbh. The inner 
protocol is asymmetric. We represent the processes by natural numbers. If q and r 
are processes with q < r, we speak of q as the lower process and r as the higher 
process. The inner protocol for process p requires 3 messages for every higher process 
in nbh.p, and no messages for the lower processes in nbh.p. 

1.2 Restrictions 

Although we allow infinitely many processes, we restrict the number of messages 
and the memory requirements of the processes in realistic ways. 






For the correctness of the algorithm, the time needed for message transfer can 
be unbounded. For other issues, however, it is convenient to postulate an upper 
bound Δ for the time needed to execute an atomic command plus the time needed
for the messages sent in this command to be received. 

We define the extended neighbourhood of process p to be the union of nbh.p with its dual $\mathit{nbh}^{d}.p = \{q \mid p \in \mathit{nbh}.q\}$. The kth delayed extended neighbourhood of p consists of the processes that were in p's extended neighbourhood not longer than a time kΔ ago.

As there are many processes, we impose the communication restriction (CR) 
that every process only sends messages to the members of some delayed extended 
neighbourhood, and the memory restriction (MR) that every process only remem- 
bers relationships with members of some delayed extended neighbourhood. 

It is fairly easy to see that our solution has these properties, using the first 
delayed extended neighbourhood for (CR) and the second one for (MR). We do not 
verify it formally, because this is cumbersome and not illuminating. 

1.3 Overview and verification 

We briefly discuss related research in Section 1.4. In Section 1.5 we describe the modelling of the asynchronous messages. Section 2 describes the algorithm. In Section 3 we prove its safety properties mutual exclusion and deadlock freedom. In Section 4 we prove the liveness properties starvation freedom and maximal concurrency.

The proofs of the safety and liveness properties have been carried out with the interactive proof assistant PVS [14]. The descriptions of proofs closely follow our PVS proof scripts, which can be found on our web site [7]. It is our intention that the paper can be read independently, but the proofs require so many case distinctions that manual verification is problematic. Section 5 provides a brief sketch of how we use PVS. We conclude in Section 6.

1.4 Related research 

We solve the drinking philosophers' problem for an infinite complete graph, as a 
clean idealization of the resource allocation problem. We do not intend to solve the 
general resource allocation problem itself, as formulated in [17,2,15].

In the drinking philosophers' problems of [3,17] (also [13, Section 20]), the
philosophers form a fixed finite undirected graph. Our set nbh.p is then a sub- 
set of the constant set Nbh.p of p's neighbours in the graph. This subset is chosen 
by the environment each time that the process gets thirsty. The message complexity 
of the solutions of these papers is proportional to the size of Nbh.p and not to the 
possibly considerably smaller size of nbh.p. These solutions are therefore problem- 
atic for large complete graphs. To enforce starvation freedom, these solutions assign 
directions to the edges of the graph such that the resulting digraph is acyclic. 

We are not aware of other solutions to the partial mutual exclusion problem as 
formulated here. 

The papers [17,15] offer a modular approach to the general resource allocation
problem. This modular approach seems to correspond to the outer protocol in our 
solution, but in either case, the code is much more complicated than our outer 
protocol. The solution of [5] satisfies FCFS, but it is more complicated and needs 
much more messages than our solution. 

1.5 Messages and channels 

As announced, we assume that the processes communicate by asynchronous mes- 
sages. Messages are guaranteed to arrive and be received, but the delay is unknown. 
and messages are allowed to pass each other, unlike in [2,13] where the messages in
transit, say from q to r, are treated first-in first-out.

Formally, we write m.q.r to denote the number of messages m sent by q to r. In particular, it is a natural number. Sending corresponds to the incrementation m.q.r++ . Receiving corresponds to the decrementation m.q.r−− and has the precondition m.q.r > 0. In principle, m.q.r can be any natural number, but in our algorithm, we take care to preserve the invariants m.q.r ≤ 1: there is always at most one message m in transit from q to r. Initially, no messages are in transit: m.q.r = 0 for every message type m.

In CSP [5], one would write m.q.r! for sending and m.q.r? for receiving, but
messages in CSP are synchronous. In Promela, the language of the model checker 
Spin [5], one could model the messages by channels with buffer size 1. 

The view of the messages sent through channels must be taken with a grain 
of salt, because it stretches the imagination to declare for every process infinitely 
many channels. For implementation purposes, we prefer to regard a message m sent 
by q to r as a tuple (m, q, r). Every process searches the tuple space continuously
or repeatedly for messages with itself as destination. 

2 The Algorithm 

The code for each process is decomposed as a parallel composition of three compo- 
nent processes: an environment, a forward stepping component, and a component 
that receives the messages: 

process(p) :

  environ(p) || forward(p) || (|| q : receive(q,p)) .

The component environ(p) implements the environment's decisions for p: to start 
the entry protocol when it is idle, or to abort the entry protocol if needful. In 
component forward (p), process p traverses the entry protocol towards CS, followed 
by the exit protocol back to the idle state. For every q, component receive(q,p)
serves to receive and handle all messages from q to p. 

Each component of process p is an infinite loop, the body of which is a nondeterministic
choice between several guarded alternatives as in Unity. The guard
of an alternative is its enabling condition. In environ(p) and forward(p), this is 
primarily the value of the program counter pc of the process (called line number). In 
most cases of receive(q,p), the presence of a message is the guard for its reception,
and the first action is the removal of the message. 

An important difference between forward(p) and receive(q,p) as opposed to environ(p), is that the alternatives of forward(p) and receive(q,p) are executed under weak fairness, i.e., if in some execution one of its alternatives is from some point onward continuously enabled, this alternative will eventually be executed. On the other hand, the environment is never forced to act. We come back to this in Section 4.

One can argue that the critical section CS should be executed by the environ- 
ment. We reckon it to forward instead, because the environment is allowed to do 
nothing, while CS needs to terminate. 

2.1 A layered solution 

If v is a private variable, outside the code, the value of v for process q is denoted by v.q. In the algorithm, every process has private variables nbh, prio, before, after, wack, away, need, prom, which all hold finite sets of processes, and which are initially empty. Every process has a program counter pc : ℕ, which is initially 11. The role of the ghost variable fork is explained in Section 2.3.

We use five message types req, gra, notify, withdraw, and ack. As explained in Section 1.5, req.q.r stands for the number of req messages from q to r, and analogously for the other message types.

The components of our solution are given in the Figures 1, 2, 3. We can regard
the alternatives as atomic commands because actions on private variables give no 
interference, the messages are asynchronous, and any delay in sending a message 
can be regarded as a delay in message delivery. 

environ(p) :

  [] pc = 11 → choose nbh with p ∉ nbh ; pc := 12 .
  [] pc = 12 ∧ p ∈ AE → nbh := ∅ ; pc := 11 .
  [] pc = 13 ∧ p ∈ AE →
       for q ∈ nbh do withdraw.p.q++ od ;
       wack := nbh ; nbh := ∅ ; prio := ∅ ; pc := 11 .
  [] pc = 14 ∧ need ∩ {q | p < q} = ∅ ∧ p ∈ AE →
       for q ∈ nbh with p < q do gra.p.q++ ; fork.p.q−− od ;
       for q ∈ nbh do withdraw.p.q++ od ;
       wack := nbh ; need := ∅ ; nbh := ∅ ; pc := 11 .

Fig. 1. The environment, to trigger and abort

A process p is called idle when pc.p = 11. When p is idle, the environment may decide to trigger the process by giving it a finite set nbh.p with p ∉ nbh.p, and setting pc.p := 12. See line 11 of environ. As nbh.p will only be modified again when process p becomes idle again, we postulate the invariant

Iq0: $r \in \mathit{nbh}.q \Rightarrow q \neq r \wedge q \text{ in } \{12 \ldots\}$ .

For a process q and a line number ℓ, we write q at ℓ to express pc.q = ℓ. If L is a set of line numbers, we write q in L to express pc.q ∈ L. For all invariants, we implicitly universally quantify over the free variables, usually q and r.

At line 12, the process starts the entry protocol in the component forward. 
When waiting at lines 12, 13, or 14 takes too long, the environment may be allowed 
to abort forward and to go back to the idle state. The fixed unspecified set AE 
(abort enabled) is introduced to make it impossible that the aborting steps of the 
environment are used to prove progress properties (by accident or design). 

As announced, the solution consists of two layers: an outer protocol for FCFS, 
and an inner protocol for mutual exclusion. The partition in layers is orthogonal to 
the partition in components. In forward(p), the outer protocol is visible in line 12, 
in the guard of line 13, and in the body of line 14. The inner protocol is visible in 
the body of line 13, in the guard of line 14, and in line 16 as a whole. 

2.2 The outer protocol for FCFS 

In order to guarantee FCFS, every process q maintains a set before.q of the processes 
that have sent notifications to q without withdrawing them. Indeed, when a process 
p has sent notifications, it needs to withdraw them when it enters CS, so that p 
does not force other processes needlessly to wait when it is in its exit protocol or 
idle again. 

Because the messages are asynchronous and not necessarily FIFO, the message 
withdraw can arrive earlier than notify. We therefore treat the messages notify 






forward(p) :

  [] pc = 12 ∧ wack = ∅ →
       for q ∈ nbh do notify.p.q++ od ;
       prio := nbh ∩ (before \ after) ; pc := 13 .
  [] pc = 13 ∧ prio = ∅ →
       for q ∈ nbh with p < q do req.p.q++ od ;
       need := {q ∈ nbh | p < q ∨ q ∈ away} ; pc := 14 .
  [] pc = 14 ∧ need = ∅ →
       for q ∈ nbh do withdraw.p.q++ od ;
       wack := nbh ; pc := 15 .
  [] pc = 15 → CS ; pc := 16 .
  [] pc = 16 →
       for q ∈ nbh with p < q do gra.p.q++ ; fork.p.q−− od ;
       nbh := ∅ ; pc := 11 .

Fig. 2. The stepping component

receive(q,p) :

  [] notify.q.p > 0 → notify.q.p−− ; add q to before .
  [] withdraw.q.p > 0 → withdraw.q.p−− ;
       remove q from prio ; add q to after .
  [] q ∈ after ∩ before →
       remove q from after and before ; ack.p.q++ .
  [] ack.q.p > 0 → ack.q.p−− ; remove q from wack .
  [] req.q.p > 0 → req.q.p−− ; add q to prom .
  [] gra.q.p > 0 → gra.q.p−− ; fork.p.q++ ;
       remove q from away and need .
  [] q ∈ prom \ away ∧ ¬(pc ≥ 15 ∧ q ∈ nbh) →
       gra.p.q++ ; fork.p.q−− ;
       add q to away ; remove q from prom ;
       if pc = 14 ∧ q ∈ nbh then add q to need endif .

Fig. 3. The component of p receiving messages from q

and withdraw symmetrically. Arrival of withdraw is registered in after. When both 
have arrived, the combination is answered by a message ack, to preclude interference 
when notify or withdraw would be delayed. Each process holds in wack the set 
of processes it is expecting acknowledgements from. See the first four alternatives of
receive(q,p). Note that idle processes also accept messages.

According to the definition of FCFS, when process p starts its entry protocol 
in forward(p), it sends messages notify to its neighbours, it forms a set prio.p as 
the intersection of nbh.p with the difference between before.p and after. p, and then 
waits for the set prio.p to become empty. 

When process p enters CS, it withdraws all its outstanding notifications by 
sending withdraw messages to its neighbours, because at that point it cannot be 
overtaken anymore. It also sets wack := nbh. When it arrives again at line 12, it 
waits for wack to be empty. In this way, it verifies that all its messages notify and 
withdraw have been acknowledged. 

The third alternative of receive is called after because the condition q ∈ after.p
is its usual trigger. This alternative can be eliminated by including it conditionally 
in both the first and the second alternative. We have not done so, because it would 
complicate the code. It may seem to be simpler to require separate acknowledge- 
ments for notify and withdraw. This, however, would require more messages and 
more waiting conditions. 
In early drafts of the algorithm, we had located the waiting for the acks at line
16, as in Szymanski's algorithm [16], but we have rotated it to line 12 to avoid
unnecessary waiting. 

The outer protocol thus uses the messages notify, withdraw, ack, and the 
private variables prio, before, after, and wack. 

2.3 The inner protocol 

The inner protocol serves to ensure partial mutual exclusion. It is inspired by the 
drinking philosophers of [3] but we do not insist on a symmetric solution. The 
idea is that the processes form a modifiable directed complete graph, which need 
not remain acyclic. For every edge, say between processes q and r, the direction is 
determined by a "fork" (or "bottle") that is held either by q or by r, or that is in 
transit between them. We use an integer variable fork.q.r (private to q) to count 
the number of forks to r that q holds. 

In accordance with [5,3], we thus postulate the invariants

Iq1: $q \neq r \Rightarrow \mathit{fork}.q.r + \mathit{fork}.r.q \le 1$ ,

Iq2: $q \text{ in } \{15 \ldots\} \wedge r \in \mathit{nbh}.q \Rightarrow \mathit{fork}.q.r > 0$ .

As CS is in line 15, condition PMX is clearly implied by Iq0, Iq1, and Iq2. The values of fork.q.q are irrelevant.

The basic idea of the inner protocol is that when process p needs to enter CS, 
it sends request messages req to some neighbours q for which it misses the fork, 
i.e., with fork.p.q = 0. When it has all forks needed, it can enter CS. When process 
p receives a request for a fork that it does not need, it grants it by sending a gra 
message. 

At this point, we break the symmetry between processes, in two ways. Recall 
that we represent the processes by natural numbers, and that, if q < r, we say
that process q is lower and that r is higher. We decide to give priority to the lower 
process. It follows that in the inner protocol, the lowest process waiting for forks 
can make progress. 

In view of the memory restriction (MR) of Section 1.2 we cannot use the infinite
array fork.p as an actual private variable of p. We therefore treat fork as a
ghost variable, which can be eliminated from the algorithm but only serves in its 
description and its proof. 

We eliminate the variable fork from the algorithm by introducing private variables
to express how fork.p differs from a default fork distribution to be introduced
next. As the processes are represented by natural numbers, there are two natural 
candidates for a default fork distribution. Because the lower process has priority and 
must therefore request the fork whenever it needs it, we locate the fork by default 
at the higher process. The default fork distribution therefore has $\mathit{fork}.q.r = |r < q|$,
where we use $|b| = (b\ ?\ 1 : 0)$ for Boolean b. After every transaction this state of
affairs is restored as much as possible. 

Remark. It is possible to choose the alternative default fork distribution with $\mathit{fork}.q.r = |q < r|$. We come back to this in Section 4. □

The set of forks missing from the default distribution for process p is registered 
in the private variable away .p. We thus postulate the invariant: 

Iq3: $q \in \mathit{away}.r \equiv (q < r \wedge \mathit{fork}.r.q = 0)$ .

Forks that are present despite the default fork distribution, are present because the 
process asked for them. They are recorded in the set difference nbh \ need. 

In view of the default fork distribution, a process p that needs forks in line 13 
sends requests req only to the higher neighbours q. If process q receives the request, it puts p in its private variable prom.q (promise). When p ∈ prom.q and q has the fork, and is not currently using it, process q sends the fork by a message gra, and updates its administration by adapting fork and away. This last alternative of receive is called prom. It can be eliminated by including it conditionally in the alternatives req and gra, and in line 16.

When process p receives a fork by a gra message, it accepts the fork and updates 
the administration. At line 16, process p sends the forks it has used back to its higher 
neighbours in accordance to the default fork distribution. 

To summarize, the inner protocol uses the messages req and gra, the private 
variables away, need, prom, and the ghost variables fork. Initially, the ghost variables fork satisfy the default fork distribution $\mathit{fork}.q.r = |r < q|$.
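The components of Figures 1, 2 and 3 together with the message counters of Section 1.5, as an added Python simulation written for this presentation (it is not the paper's PVS model): a scheduler fires randomly chosen enabled alternatives, which is weakly fair with probability one, and PMX together with the fork invariants Iq1, Iq3, Iq4 and Iq7 of Sections 2.3 and 3.1 is asserted after every step. Assumed beyond the paper: a finite set of processes 0..n-1, an empty abort set AE, and an environment that triggers each process a fixed number of rounds with random neighbourhoods.

```python
import random
from collections import Counter


class Proc:  # private state of one process: all sets empty, pc = 11
    def __init__(self, pid, n):
        self.pid, self.pc, self.cs_count = pid, 11, 0
        self.nbh, self.prio, self.before, self.after = set(), set(), set(), set()
        self.wack, self.away, self.need, self.prom = set(), set(), set(), set()
        self.fork = {q: int(q < pid) for q in range(n) if q != pid}  # ghost fork.p.q = |q < p|


class System:
    RECV = (("notify", "rc_notify"), ("withdraw", "rc_withdraw"), ("ack", "rc_ack"),
            ("req", "rc_req"), ("gra", "rc_gra"))
    def __init__(self, n, rounds, seed=0):
        self.rng = random.Random(seed)
        self.procs = [Proc(p, n) for p in range(n)]
        self.todo = [rounds] * n  # triggers the environment still owes each process (assumption)
        self.msg = Counter()      # msg[(m, q, r)] is the counter m.q.r of Section 1.5
    # environ(p), Figure 1: only line 11, because the abort set AE is assumed empty
    def env11(self, p):
        others = [q for q in range(len(self.procs)) if q != p.pid]
        p.nbh = set(self.rng.sample(others, self.rng.randint(1, len(others))))
        self.todo[p.pid] -= 1; p.pc = 12

    # forward(p), Figure 2
    def fw12(self, p):
        for q in p.nbh: self.msg[("notify", p.pid, q)] += 1
        p.prio, p.pc = p.nbh & (p.before - p.after), 13
    def fw13(self, p):  # requests go to the higher neighbours only
        for q in p.nbh:
            if p.pid < q: self.msg[("req", p.pid, q)] += 1
        p.need, p.pc = {q for q in p.nbh if p.pid < q or q in p.away}, 14
    def fw14(self, p):
        for q in p.nbh: self.msg[("withdraw", p.pid, q)] += 1
        p.wack, p.pc = set(p.nbh), 15
    def fw15(self, p): p.cs_count, p.pc = p.cs_count + 1, 16  # line 15 is CS
    def fw16(self, p):  # hand the borrowed forks back to the higher neighbours
        for q in p.nbh:
            if p.pid < q: self.msg[("gra", p.pid, q)] += 1; p.fork[q] -= 1
        p.nbh, p.pc = set(), 11

    # receive(q, p), Figure 3: five receptions plus the 'after' and 'prom' alternatives
    def rc_notify(self, p, q): self.msg[("notify", q, p.pid)] -= 1; p.before.add(q)
    def rc_withdraw(self, p, q):
        self.msg[("withdraw", q, p.pid)] -= 1; p.prio.discard(q); p.after.add(q)
    def rc_after(self, p, q):
        p.after.discard(q); p.before.discard(q); self.msg[("ack", p.pid, q)] += 1
    def rc_ack(self, p, q): self.msg[("ack", q, p.pid)] -= 1; p.wack.discard(q)
    def rc_req(self, p, q): self.msg[("req", q, p.pid)] -= 1; p.prom.add(q)
    def rc_gra(self, p, q):
        self.msg[("gra", q, p.pid)] -= 1; p.fork[q] += 1
        p.away.discard(q); p.need.discard(q)
    def rc_prom(self, p, q):  # grant the promised fork to the lower process q
        self.msg[("gra", p.pid, q)] += 1; p.fork[q] -= 1
        p.away.add(q); p.prom.discard(q)
        if p.pc == 14 and q in p.nbh: p.need.add(q)

    def enabled(self):  # every enabled alternative of every component, as (method, args)
        alts = []
        for p in self.procs:
            if p.pc == 11 and self.todo[p.pid] > 0: alts.append((self.env11, (p,)))
            if p.pc == 12 and not p.wack: alts.append((self.fw12, (p,)))
            if p.pc == 13 and not p.prio: alts.append((self.fw13, (p,)))
            if p.pc == 14 and not p.need: alts.append((self.fw14, (p,)))
            if p.pc == 15: alts.append((self.fw15, (p,)))
            if p.pc == 16: alts.append((self.fw16, (p,)))
            for q in p.fork:  # receive(q, p) for every other process q
                for m, name in self.RECV:
                    if self.msg[(m, q, p.pid)] > 0: alts.append((getattr(self, name), (p, q)))
                if q in p.after and q in p.before: alts.append((self.rc_after, (p, q)))
                if q in p.prom and q not in p.away and not (p.pc >= 15 and q in p.nbh):
                    alts.append((self.rc_prom, (p, q)))
        return alts

    def check_invariants(self):  # PMX and the fork invariants Iq1, Iq3, Iq4, Iq7
        for p in self.procs:
            for q, f in p.fork.items():
                r = self.procs[q]
                assert not (p.pc == 15 and r.pc == 15 and q in p.nbh and p.pid in r.nbh), "PMX"
                assert 0 <= f and f + r.fork[p.pid] <= 1, "Iq7, Iq1"
                assert f + r.fork[p.pid] + self.msg[("gra", p.pid, q)] + self.msg[("gra", q, p.pid)] == 1, "Iq4"
                assert (q in p.away) == (q < p.pid and f == 0), "Iq3"

    def run(self):  # weakly fair scheduler: a random enabled alternative until the system is silent
        steps = 0
        while alts := self.enabled():
            f, args = self.rng.choice(alts)
            f(*args); steps += 1
            self.check_invariants()
        return steps


def simulate(n=5, rounds=3, seed=1):  # steps, all idle, no messages, default forks, CS counts
    system = System(n, rounds, seed)
    steps = system.run()
    all_idle = all(p.pc == 11 for p in system.procs)
    no_msgs = all(v == 0 for v in system.msg.values())
    default = all(f == int(q < p.pid) for p in system.procs for q, f in p.fork.items())
    return steps, all_idle, no_msgs, default, [p.cs_count for p in system.procs]
```

When the run ends silent, every process is idle, no message is in transit and the forks are back in the default distribution fork.q.r = |r < q|.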

2.4 Informal correctness arguments 

We postpone the full and formal proofs of correctness to Section 3 for safety, and to Section 4 for liveness. Here, we only give some indications.

The proof that the inner protocol guarantees partial mutual exclusion (PMX) is a matter of careful fork administration. This is relatively easy. The formal treatment is in Section 3.1.

Absence of deadlock is more complicated. There are three waiting conditions at 
the lines 12, 13, and 14 of forward, which each or in combination potentially could 
lead to deadlock. The waiting condition at line 12 is harmless, however, because it is 
just waiting for messages to arrive. The waiting condition at line 13 does not lead to 
deadlock, essentially because the process(es) waiting longest at line 13 can proceed 
to line 14. The waiting condition at line 14 does not lead to deadlock because the 
lowest process waiting at line 14 has priority. The formal treatment of deadlock is 
in Section 3.2.

Starvation freedom is the most complicated property. The inner protocol itself 
is not starvation free, because a lower process can claim priority over a higher 
process. Note, however, that when it does so, it will send the fork to the higher 
process in its exit protocol. The outer protocol is starvation free because it satisfies 
FCFS. When a process in the inner protocol is passed by another process, this other 
process cannot pass again because it will be blocked by the FCFS property of the 
outer protocol. As the number of processes in the inner protocol is finite, it follows 
that the combination of the protocols is starvation free. The formal treatment is in 
Section 4.

2.5 Message complexity and waiting times 

In the outer protocol, process p exchanges 3 messages (notify, withdraw, ack) with 
every neighbour. In the inner protocol, it exchanges 3 messages (req, gra, gra) with 
every higher neighbour. In total it exchanges between 3 and 6 messages with every 
neighbour. 

Component forward has 3 waiting conditions: emptiness of prio at line 13 to 
ensure FCFS, emptiness of need at line 14 to ensure mutual exclusion, and emptiness
of wack at line 12 to preclude interference of delayed messages. 

Recall from Section 1.2 that Δ serves as an upper bound of the time needed for the execution of an alternative, plus the time needed for reception of the messages sent. Therefore, waiting for emptiness of wack should not take more than 2Δ.

When the environment of p wants to abort the entry protocol at line 14, it may 
need to wait for emptiness of the higher part of need. This waiting is also short 
because process p has priority over its higher neighbours. If F is an upper bound 
for the execution time of CS, the higher part of need is empty after F + 2Δ.
The important waiting conditions are therefore emptiness of prio at line 13 and emptiness of need at line 14. The first condition is unavoidable and completely determined by FCFS. The waiting time for emptiness of need at line 14 depends on the number of conflicting processes that are concurrently in the inner protocol. The outer protocol guarantees that conflicting processes do not enter the inner protocol concurrently unless they are activated by the environment within a period Δ. If the environment often activates several conflicting processes within periods Δ,
our algorithm may have performance problems. It seems likely, however, that other 
algorithms would have the same problem. 

3 Verification of Safety 

In a distributed algorithm, at any moment, many processes are able to do a step 
that modifies the global state of the system. In our view, the only way to reason 
successfully about such a system is to analyse the properties that cannot be falsified 
by any step of the system. These are the invariants. 

Formally, a predicate is called an invariant of an algorithm if it holds in all 
reachable states. A predicate J is called inductive if it holds initially and every step 
of the algorithm from a state that satisfies J results in a state that also satisfies J. 
Every inductive predicate is an invariant. Every predicate implied by an invariant 
is an invariant. 

When a predicate is inductive, this is often easily verified. In many cases, the 
proof assistant PVS is able to do it without user intervention. It always requires 
a big case distinction, because the algorithm has 16 different alternatives in the
Figures 1, 2 and 3.

Most invariants, however, are not inductive. Preservation of such a predicate by 
some alternatives needs the validity of other invariants in the precondition. We use 
PVS to pin down the problematic alternatives, but human intelligence is needed to 
determine the useful other invariants. 

In proofs of invariants, we therefore use the phrase "preservation of J at $\ell_1 \ldots \ell_m$ follows from $J_1 \ldots J_n$" to express that every step of the algorithm with precondition $J \wedge J_1 \wedge \ldots \wedge J_n$ has the postcondition J, and that the additional predicates $J_1 \ldots J_n$ are only needed for the alternatives $\ell_1 \ldots \ell_m$. We indicate the alternatives of Figure 1 by env11, env12, env13, env14. The alternatives of Figure 2 are indicated by the line numbers. The alternatives of Figure 3 in which messages are received, are indicated by the message names notify, withdraw, ack, req, gra. The alternatives 3 and 7 of receive are indicated by after and prom, respectively.

The "follows from" relation makes the list of invariants into a directed graph. In
our enumerations of invariants, we traverse this graph by breadth first search. 

For all invariants postulated, the easy proof that they hold initially is left to the 
reader. We use the term invariant in a premature way. It will be justified at the end 
of the section. 

Section 3.1 contains the proof that the algorithm satisfies the invariant PMX of partial mutual exclusion. Section 3.2 contains the proof of absence of deadlock. This proof uses invariants that are verified in Section 3.3.

3.1 The proof of mutual exclusion 

In Section 2.3 we saw that the mutual exclusion predicate PMX is implied by Iq0, Iq1, and Iq2. This section contains the proof that Iq0, Iq1, Iq2, and Iq3 of Section 2.3 are invariants. Firstly, it is easy to verify that Iq0 is inductive. Predicate Iq1 is implied by the observation that there is precisely one fork on every edge, as expressed by the invariant:

Iq4: $q \neq r \Rightarrow \mathit{fork}.q.r + \mathit{fork}.r.q + \mathit{gra}.q.r + \mathit{gra}.r.q = 1$ .

Indeed, Iq4 implies Iq1 because gra holds natural numbers.
Predicate Iq2 is implied by the invariants:

Iq5: $q \text{ in } \{14 \ldots\} \wedge r \in \mathit{nbh}.q \Rightarrow r \in \mathit{need}.q \vee \mathit{fork}.q.r > 0$ ,

Iq6: $r \in \mathit{need}.q \Rightarrow q \text{ at } 14 \wedge r \in \mathit{nbh}.q$ .

The invariant Iq3 is a matter of careful fork administration. Preservation of Iq3 at 16, gra, and prom follows from Iq2, Iq4, and the new invariants

Iq7: $\mathit{fork}.q.r \ge 0$ ,

Iq8: $q \in \mathit{prom}.r \Rightarrow q < r$ .

Note that Iq7 is not superfluous, because, in the algorithm, we unconditionally 
decrement fork.q.r in the alternatives 16 and prom. On the other hand, we treat 
the message variables m.q.r as natural numbers, because they are only decremented 
when positive. 

Predicate Iq4 is inductive. Preservation of Iq5 at 13 and gra follows from Iq0, Iq3, and Iq7. Predicate Iq6 is inductive. Preservation of Iq7 at 16, prom, and env14 follows from Iq2, Iq3, and Iq8.

Preservation of Iq8 at req follows from the new invariant 

Iq9: $\mathit{req}.q.r > 0 \Rightarrow q < r$ .

Preservation of Iq9 at 14 follows from Iq8. 

It now follows that the conjunction of the universal quantification of the "in- 
variants" introduced above is inductive. Therefore, each of them is itself invariant. 
In particular, the mutual exclusion predicate PMX is invariant. This concludes the 
proof that the algorithm satisfies PMX. 

3.2 Absence of deadlock 

We define a state to be silent when no process can do a step of forward or receive
of Figures 2, 3. We define a state to be in deadlock when it is silent and some
processes are not idle (not at 11). Note that the environment need not be disabled. 
Absence of deadlock is a safety requirement which will follow from the liveness 
requirement of starvation freedom. It is useful to prove absence of deadlock first, 
however, because the ingredients of this proof are bound to enter again in the more 
complicated proof of liveness. 

For the proof of absence of deadlock, we need several additional invariants. 
Firstly, all processes are at the line numbers of the program (otherwise there are no 
steps). This amounts to the inductive invariant: 

Jq0: $q\ \mathrm{in}\ \{11 \ldots 16\}$ . 

Fork requests by the lower process are remembered as promises: 

Jq1: $q < r \wedge r \in \mathit{need}.q \wedge \mathit{req}.q.r = \mathit{gra}.r.q = 0 \Rightarrow q \in \mathit{prom}.r$ . 

Predicate Jq1 is invariant, because preservation at prom follows from Iq8. 

The following invariants are more difficult. We only claim them here, and post- 
pone the proofs to the next section. 

Any process waiting for a fork does not have it: 

Jq2: $r \in \mathit{need}.q \Rightarrow \mathit{fork}.q.r = 0$ . 

Because of the default fork distribution, a lower process has and gets no fork unless 
it needs one: 
Jq3: $q < r \wedge \mathit{fork}.q.r + \mathit{gra}.r.q > 0 \Rightarrow q\ \mathrm{in}\ \{14\ldots\} \wedge r \in \mathit{nbh}.q$ . 

When process q has sent withdraw to r, it expects an acknowledgement from r. 
It remembers this by putting r in its set wack. This is expressed in the inductive 
invariant: 

Kq0: $\mathit{withdraw}.q.r + \mathit{ack}.r.q + |\, q \in \mathit{after}.r \,| = |\, r \in \mathit{wack}.q \,|$ . 

When q is in after.r and not in before.q, a notify message is in transit from q to r: 

Kq1: $q \in \mathit{after}.r \Rightarrow \mathit{notify}.q.r > 0 \vee q \in \mathit{before}.r$ . 

A binary relation R is called well-founded if every nonempty set S has an 
R-minimal element, i.e., an element $q \in S$ such that, for all $q' \in S$, we have $(q', q) \notin R$. 

We now claim the invariant that the relation $\mathit{Prio} = \{(q,r) \mid q \in \mathit{prio}.r\}$ on the 
processes is always well-founded: 

Lq0: $\mathit{well\text{-}founded}(\mathit{Prio})$ . 

We also need: 

Lq1: $q \in \mathit{prio}.r \wedge \mathit{withdraw}.q.r = 0 \Rightarrow q\ \mathrm{in}\ \{13\ldots\}$ . 

Under the assumption of these invariants, we can prove: 

Theorem 1. The system is deadlock free. 

Proof. Assume that the state is silent. The idle processes are those at 11. Because 
of Jq0, the nonidle processes are at line 12 waiting for emptiness of wack, at line 13 
waiting for emptiness of prio, or at line 14 waiting for emptiness of need. We have 
to prove that all processes are idle. 

Because the state is silent, there are no messages req, gra, notify, withdraw, 
and ack. By Iq4, it follows that $\mathit{fork}.r.q = 1 - \mathit{fork}.q.r$ for all pairs $q \neq r$. By Kq1, 
the set after.r is a subset of before.r for all r. As the alternative after is disabled 
for all r, it follows that after.r is empty for all processes r. By Kq0, it follows that 
wack.q is empty for all processes q. In particular, no process is disabled at line 12, 
and all processes are at the lines 11, 13, and 14. 

First assume that there are processes at 14. Let p be the lowest process at 14. As 
p is disabled at line 14, the set need.p is nonempty, say $q \in \mathit{need}.p$. By Jq2, we have 
$\mathit{fork}.p.q = 0$ and hence $\mathit{fork}.q.p = 1$. If $q < p$, then q is at 11 or 13, contradicting 
Jq3. Therefore $p < q$ by Iq6 and Jq0. As there are no req or gra messages in transit, 
it follows that $p \in \mathit{prom}.q$ by Jq1. By Iq3, we have $p \notin \mathit{away}.q$. As the alternative 
prom is disabled, it follows that $\mathit{pc}.q \geq 15$, a contradiction. This proves that there 
are no processes at 14. 

We thus have that all disabled processes are at 13. Let S be the set of processes 
at 13. If S is empty, we are done. Therefore, assume that S is nonempty. By Lq0, 
the set S has a Prio-minimal element, say p. As p is disabled at 13, the set prio.p 
is nonempty, say $q \in \mathit{prio}.p$. As there are no withdraw messages, the invariant Lq1 
implies that q is in $\{13\ldots\}$. As all processes are at 11 or 13, this implies that $q \in S$ 
and $(q,p) \in \mathit{Prio}$, contradicting the minimality of p. Consequently, there are also 
no processes at 13. □ 

3.3 Invariants against deadlock 

In this section we prove the invariants Jq2, Jq3, Kq0, Kq1, Lq0, Lq1, postulated 
in the previous section. In the course of this proof we need to postulate and prove 
several other invariants. The reader may prefer not to verify these proofs, because 
we obtained and verified them interactively with the proof assistant PVS. What is 
relevant is to see the kind of assertions that can be made and their logical 
relationships. 

Preservation of Jq2 at 13, 16 and prom follows from Iq2, Iq3, Iq4, Iq7, Iq8, and 
Jq3. Preservation of Jq3 at 16, prom, env14 follows from Iq4, Iq6, Iq7, and the 
invariant 

Jq4: $q \in \mathit{prom}.r \Rightarrow r \in \mathit{need}.q \wedge \mathit{req}.q.r = \mathit{gra}.r.q = 0$ . 

Preservation of Jq4 at 13, 16, req, env14 follows from Iq6, Iq8, Jq5 and the 
invariants 

Jq5: $\mathit{req}.q.r > 0 \Rightarrow r \in \mathit{need}.q \wedge \mathit{gra}.r.q = 0$ , 
Jq6: $\mathit{req}.q.r \leq 1$ . 

Preservation of Jq5 at 13, 16, prom, env14 follows from Iq6, Iq7, Iq9, Jq3, and Jq4. 
Preservation of Jq6 at 13 follows from Iq6 and Jq5. Note that Jq4 together with 
Iq8 implies that the implication in Jq1 can be replaced by an equivalence. 

Preservation of Kq0 at 14, env13, env14 follows from the inductive invariant 

Kq2: $q\ \mathrm{in}\ \{13, 14\} \Rightarrow \mathit{wack}.q = \emptyset$ . 

Preservation of Kq1 at withdraw follows from the invariant 

Kq3: $\mathit{withdraw}.q.r > 0 \wedge \mathit{notify}.q.r = 0 \Rightarrow q \in \mathit{before}.r$ . 

Preservation of Kq3 at 14, env13, env14, and after follows from Kq0 and the 
new invariant 

Kq4: $q\ \mathrm{in}\ \{13, 14\} \wedge r \in \mathit{nbh}.q \wedge \mathit{notify}.q.r = 0 \Rightarrow q \in \mathit{before}.r$ . 

Preservation of Kq4 at after follows from Kq0 and Kq2. 
In order to prove Lq1, we postulate the new invariant 

Kq5: $q \in \mathit{before}.r \setminus \mathit{after}.r \wedge \mathit{withdraw}.q.r = 0 \Rightarrow q\ \mathrm{in}\ \{13, 14\} \wedge r \in \mathit{nbh}.q$ . 

Preservation of Kq5 at notify follows from the new invariant: 

Kq6: $\mathit{notify}.q.r > 0 \wedge q \notin \mathit{after}.r \wedge \mathit{withdraw}.q.r = 0 \Rightarr q\ \mathrm{in}\ \{13, 14\} \wedge r \in \mathit{nbh}.q$ . 

Preservation of Kq6 at 14, env13, env14, after follows from Kq0 and the new 
invariant 

Kq7: $q \in \mathit{before}.r \Rightarrow \mathit{notify}.q.r = 0$ . 

Preservation of Kq7 at 12 and notify follows from Kq0, Kq5, and the new invariant: 

Kq8: $\mathit{notify}.q.r \leq 1$ . 

Preservation of Kq8 at 12 follows from Kq0 and Kq6. 

We turn to preservation of Lq0. Recall that, for a relation R and a set S, an 
element s is called R-minimal in S iff it satisfies $s \in S$, and $(s', s) \notin R$ for all 
elements $s' \in S$. Relation R is called well-founded iff every nonempty set S has an 
R-minimal element. Lq0 asserts that the relation Prio, which consists of the pairs 
$(q, r)$ with $q \in \mathit{prio}.r$, is well-founded. 

It is easy to verify that, if R is a well-founded relation, every subrelation $R' \subseteq R$ 
is also well-founded. Therefore, Lq0 is preserved by the modifications of prio in 
withdraw and env13, as these remove elements from Prio. 

Preservation of Lq0 at 12 follows from Iq0, Kq0, and Lq1. This is proved as 
follows. Assume that process p executes line 12. Let us use Prio for relation Prio 
in the precondition, and $\mathit{Prio}^+$ for relation Prio in the postcondition of this step. 
Assume that Lq0 holds in the precondition. Therefore, relation Prio is well-founded. 
It is easy to see that 

(0) $\mathit{Prio}^+ \subseteq \mathit{Prio} \cup \{(q,p) \mid q \in \mathit{nbh}.p\}$ . 

Let S be a nonempty set of processes. First, assume that $S' = S \setminus \{p\}$ is 
nonempty. Therefore, S' has a Prio-minimal element $r \in S'$. Because p executes 
line 12, the set wack.p is empty. Therefore Kq0 implies $\mathit{withdraw}.p.r = 0$, and Lq1 
implies $p \notin \mathit{prio}.r$. Therefore r is also Prio-minimal in S. It follows that r is 
$\mathit{Prio}^+$-minimal in S because of $r \neq p$ and formula (0). It remains the case that $S \setminus \{p\}$ 
is empty. Then we have $S = \{p\}$. It follows that p is a Prio-minimal element of S 
and, hence, a $\mathit{Prio}^+$-minimal element of S because of Iq0. 

In either case, the set S contains a $\mathit{Prio}^+$-minimal element. This proves that 
$\mathit{Prio}^+$ is well-founded. Therefore Lq0 is preserved by the step of line 12. 
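The preservation argument for Lq0 at line 12 can be checked mechanically on small finite states. The following Python is an added example (not the paper's PVS development): it evaluates the well-foundedness definition of Section 3.2 literally on every nonempty subset, confirms it against a cycle check (the two agree on finite relations), applies the prio update that next12 of Section 5 performs, and checks formula (0) and the precondition that Kq0 and Lq1 supply (a process at line 12 with empty wack is in no prio.r). The two three-process states are constructed here; the second one is hypothetical and deliberately violates Lq1, to show the cycle that the precondition rules out.

```python
"""Well-foundedness of Prio (invariant Lq0) and the line-12 update of prio.p.
Added example on constructed three-process states; the BAD state is hypothetical
and only shows what Kq0 and Lq1 exclude."""
from itertools import combinations


def prio_relation(prio):
    """Prio = {(q, r) | q in prio.r}; prio is a dict r -> set of q."""
    return {(q, r) for r, qs in prio.items() for q in qs}

def minimal_elements(S, R):
    """R-minimal elements of S: s in S with no s' in S such that (s', s) in R."""
    return {s for s in S if not any((t, s) in R for t in S)}

def well_founded(procs, R):
    """Section 3.2's definition, checked literally on the finite set procs:
    every nonempty subset has an R-minimal element."""
    procs = sorted(procs)
    return all(minimal_elements(set(S), R)
               for n in range(1, len(procs) + 1)
               for S in combinations(procs, n))

def acyclic(procs, R):
    """On a finite set, well-founded is the same as cycle-free
    (depth-first search with white/grey/black colouring)."""
    succ = {p: {r for (q, r) in R if q == p} for p in procs}
    colour = {}
    def dfs(u):
        colour[u] = 1
        for v in succ[u]:
            c = colour.get(v, 0)
            if c == 1 or (c == 0 and not dfs(v)):
                return False
        colour[u] = 2
        return True
    return all(colour.get(p) == 2 or dfs(p) for p in procs)

def next12_prio(x, p):
    """Effect of line 12 on prio, mirroring next12 of Section 5:
    prio.p := {q | q in nbh.p and q in before.p and q not in after.p}."""
    prio = {r: set(qs) for r, qs in x["prio"].items()}
    prio[p] = (x["nbh"][p] & x["before"][p]) - x["after"][p]
    return prio

def no_outgoing_edge(x, p):
    """What Kq0 and Lq1 give for p at line 12 with empty wack:
    p is in no prio.r, so Prio has no pair (p, r)."""
    return all(p not in qs for qs in x["prio"].values())

def check_line12(x, p):
    """Lq0 before and after p executes line 12, plus formula (0)."""
    before = prio_relation(x["prio"])
    after = prio_relation(next12_prio(x, p))
    added = {(q, p) for q in x["nbh"][p]}
    return {
        "Lq0_before": well_founded(x["procs"], before),
        "Lq0_after": well_founded(x["procs"], after),
        "formula_0": after <= before | added,
        "precondition": no_outgoing_edge(x, p),
        "acyclic_after": acyclic(x["procs"], after),
    }

# constructed state: Prio = {(1,2), (2,3)}; process 3 is about to execute line 12
GOOD = {"procs": {1, 2, 3},
        "prio": {1: set(), 2: {1}, 3: {2}},
        "nbh": {3: {1, 2}}, "before": {3: {1, 2}}, "after": {3: set()}}
# hypothetical state violating Lq1: 3 is in prio.2 although 3 is at line 12
BAD = {"procs": {1, 2, 3},
       "prio": {1: set(), 2: {3}, 3: set()},
       "nbh": {3: {2}}, "before": {3: {2}}, "after": {3: set()}}
```

For GOOD, the new pairs (1,3) and (2,3) all point at the executing process, which has no outgoing pair, so no cycle can close and Lq0 survives. For BAD, formula (0) still holds, but the pair (3,2) that Lq1 forbids combines with the new pair (2,3) into a cycle, and the subset {2,3} has no Prio-minimal element.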

Predicate Lq1 is implied by the conjunction of Kq5 and the new invariant: 

Lq2: $\mathit{prio}.q \subseteq \mathit{before}.q \setminus \mathit{after}.q$ . 

Predicate Lq2 is inductive. This concludes the proofs of the invariants against 
deadlock. 

Remarks. Apart from Lq0, all these invariants concern at most two processes. It 
is therefore possible to verify them by model checking. Such a system with two 
processes would not have too many states. The proofs of Lq0 and of absence of 
deadlock, however, do require theorem proving. 

The invariants of the lists Iq*, Jq* relate to the inner protocol. The invariants of 
the lists Kq*, Lq* are exclusively related to the outer protocol. The only invariant 
for both protocols is Iq0. 

4 Liveness 

The aim of this section is to show that the algorithm satisfies two liveness properties: 
starvation freedom and maximal concurrency. 

Starvation freedom means that every process that needs to enter CS and does 
not abort, will eventually enter CS and come back to the idle state. This can only 
be proved when all processes make progress under weak fairness. 

Maximal concurrency means that, even without global weak fairness conditions, 
when process p itself makes progress under weak fairness and all processes answer 
messages from p, then whenever process p needs to enter CS and does not abort, 
it will eventually enter CS and come back to the idle state, unless it is, from some 
moment onward, eternally in conflict with some other process. The latter case is 
not deadlock, because the other process is not locked but only fails to do steps as 
it is not subject to fairness conditions. 

Weak fairness is introduced in Section 4.1. We formalize executions as state 
sequences in Section 4.2. Section 4.3 contains the formal definitions of weak fairness 
and the statements of starvation freedom and maximal concurrency. 

The proofs of these two results are distributed over several subsections. In 
Section 4.4 we introduce two more invariants and show that all message channels are 
infinitely often empty. In Section 4.5 we build the machinery to reduce the proof 
obligations to progress at the lines 12, 13, and 14. The Sections 4.6, 4.7, 4.8 treat 
these lines. Section 4.9 concludes the proofs of the two theorems. 

4.1 Weak fairness 

First, however, weak fairness needs an explanation. Roughly speaking, a system is 
called weakly fair if, whenever some process from some point onward always can 
do a step, it will do the step. Yet if a process is idle, it must not be forced to be 
interested in CS. Similarly, if a process is waiting a long time in the entry protocol, 
we do not want it to be forced to abort the entry protocol. We therefore do not 
force the environment to do steps. We thus exclude the environment from the 
weak fairness conditions. 

We impose the following weak-fairness conditions. For any process p, if from 
some time onward p can continuously do a forward step, it will do the forward 
step. If, from some time onward, it can continuously receive a message m from some 
process q, it will receive m from q. 

Formally, we do not argue about the fairness of systems, but characterize the 
executions they can perform. Recall that an execution is an infinite sequence of 
states that starts in an initial state and for which every pair of subsequent states 
satisfies the step relation. An execution is called weakly fair iff, for every process 
p, whenever p can, from some state onward, always do a forward step or receive a 
message m from q, it will eventually do the step or receive message m from q. 

We also need that, when one of the alternatives after or prom of receive(q,p) is 
from some time onward continuously enabled, this alternative is eventually taken. In 
the following, we therefore treat these alternatives as if they correspond to messages 
m = after or prom from q to p. 

4.2 Formalization 

We formalize the setting in a set-theoretic version of (linear time) temporal logic. 
Let X be the state space. We identify the set $X^\omega$ of the infinite sequences of states 
with the set of functions $\mathbb{N} \to X$. For a state sequence $xs \in X^\omega$ and $n \in \mathbb{N}$, we 
occasionally refer to $xs(n)$ as the state at time n. For a programming variable v, we 
write $xs(n).v$ for the value of v in state $xs(n)$. 

For a subset $U \subseteq X$, we define $[U] \subseteq X^\omega$ as the set of infinite sequences xs with 
$xs(0) \in U$. For a relation $A \subseteq X^2$, we define $[A]_2 \subseteq X^\omega$ as the set of sequences xs 
with $(xs(0), xs(1)) \in A$. 

For $xs \in X^\omega$ and $k \in \mathbb{N}$, we define the shifted sequence $D(k, xs)$ by 
$D(k, xs)(n) = xs(k + n)$. For a subset $P \subseteq X^\omega$ we define $\Box P$ (always P) and 
$\Diamond P$ (eventually P) as the subsets of $X^\omega$ given by 

$xs \in \Box P \equiv (\forall\, k \in \mathbb{N} : D(k, xs) \in P)$ , 
$xs \in \Diamond P \equiv (\exists\, k \in \mathbb{N} : D(k, xs) \in P)$ . 

We now apply this to the algorithm. We write $\mathit{init} \subseteq X$ for the set of initial states 
and $\mathit{step} \subseteq X^2$ for the step relation on X. Following [1], we use the convention that 
relation step is reflexive (contains the identity relation). An execution is an infinite 
sequence of states that starts in an initial state and in which each subsequent pair 
of states is connected by a step. The set of executions of the algorithm is therefore 

$\mathit{Ex} = [\mathit{init}] \cap \Box [\mathit{step}]_2$ . 

If J is an invariant of the system, it holds in all states of every execution. We 
therefore have $\mathit{Ex} \subseteq \Box [J]$. 

For our algorithm, the step relation $\mathit{step} \subseteq X^2$ is the union of the identity 
relation on X (because step should be reflexive) with the relations $\mathit{step}(p)$ that 
consist of the state pairs $(x, y)$ where y is a state obtained when process p does a 
step starting in x. The steps that process p can do are summarized in 

$\mathit{step}(p) = \mathit{env}(p) \cup \mathit{fwd}(p) \cup \bigcup_{q,m} \mathit{rec}(m, q, p)$ , 

where $\mathit{env}(p)$ consists of the steps of environ(p), $\mathit{fwd}(p)$ consists of the steps of 
forward(p), and $\mathit{rec}(m, q, p)$ consists of the steps where p receives message m from 
q in receive. Note that we take the union here over all processes q and all seven 
alternatives m of receive (including after and prom). 
We define $(q\ \mathrm{at}\ k)$ to be the subset of X of the states in which process q is at 
line k. An execution in which process q is always eventually at NCS is therefore 
an element of $\Box\Diamond [q\ \mathrm{at}\ 11]$. The aim is to prove that all executions we need to 
consider are elements of this set. 

Remark. Note the difference between $\Box\Diamond [U]$ and $\Diamond\Box [U]$. In general, $\Box\Diamond [U]$ is 
a bigger set (a weaker condition) than $\Diamond\Box [U]$. The first set contains all sequences 
that are infinitely often in U, the second set contains the sequences that are from 
some point onward eternally in U. □ 

4.3 Liveness under weak fairness 

For a relation $R \subseteq X^2$, we define the disabled set $D(R) = \{x \mid \forall\, y : (x,y) \notin R\}$. 
Now weak fairness [1] for R is defined as the set of state sequences in which R is 
disabled infinitely often or is taken infinitely often: 

$\mathit{wf}(R) = \Box\Diamond [D(R)] \cup \Box\Diamond [R]_2$ . 

For a single process p, weak fairness for the steps of forward(p) is the property 
$\mathit{wf}(\mathit{fwd}(p))$. 

Our algorithm needs the property that every message, say m in transit from 
q to r, is eventually received. The set $\mathit{wf}(\mathit{rec}(m,q,r))$ contains precisely the state 
sequences that satisfy this condition. This also applies to m = after and prom. 

For some purposes, we need the assumptions of weak fairness for the steps of a 
single process p and for all messages with p as destination or source. We thus define 
the set of executions weakly fair for p by 

$\mathit{Wf}(p) = \mathit{Ex} \cap \mathit{wf}(\mathit{fwd}(p)) \cap \bigcap_{q,m} \big(\mathit{wf}(\mathit{rec}(m,q,p)) \cap \mathit{wf}(\mathit{rec}(m,p,q))\big)$ . 

The set of (globally) weakly fair executions is defined by 

$\mathit{WF} = \mathit{Ex} \cap \bigcap_p \mathit{wf}(\mathit{fwd}(p)) \cap \bigcap_{p,q,m} \mathit{wf}(\mathit{rec}(m,q,p))$ . 

We can now formulate our two liveness results. Starvation freedom means that 
every process p in every weakly fair execution is always eventually back at NCS 
(i.e. at line 11). This is expressed by 

Theorem 2. $\mathit{WF} \subseteq \Box\Diamond [p\ \mathrm{at}\ 11]$ for every process p. 

Maximal concurrency means that every process p that needs to enter CS and 
does not abort, will eventually enter CS, provided it satisfies weak fairness itself, 
all other processes receive and answer messages from p, and no process comes in an 
eternal conflict with p. Let us define $p \bowtie q$ to mean that p and q are in conflict, i.e., 
$q \in \mathit{nbh}.p \wedge p \in \mathit{nbh}.q$. Then maximal concurrency is expressed by 

Theorem 3. $\mathit{Wf}(p) \subseteq \Box\Diamond [p\ \mathrm{at}\ 11] \cup \bigcup_q \Diamond\Box [p \bowtie q]$ for every process p. 

The remainder of this section is devoted to the proofs of these two theorems. 
These proofs have a significant overlap. On the other hand, the proof of Theorem 
2 has similarities with the proof of absence of deadlock (Theorem 1 in Section 3.2). 

4.4 Empty channels 

At this point, we postulate two additional invariants: 

Mq0: $\mathit{gra}.q.q = 0$ , 

Mq1: $r \in \mathit{prio}.q \Rightarrow q\ \mathrm{at}\ 13 \wedge r \in \mathit{nbh}.q$ . 
Predicate Mq0 is preserved at 16 and req because of Iq9 and Iq8. Predicate Mq1 
is inductive. 

We now claim that $m.q.r \leq 1$ always holds for all five message types m and all 
processes q and r. For req, notify, withdraw, ack, this follows from Jq6, Kq8, and 
Kq0. For gra, it follows from Iq4, Iq7, and Mq0. 

As every state in every execution satisfies all invariants, and the reception of 
message m from q by r decrements $m.q.r$, it follows that we have 

(1) $\mathit{Ex} \cap \mathit{wf}(\mathit{rec}(m,q,r)) \subseteq \Box\Diamond [m.q.r = 0]$ . 

In words, every message channel is infinitely often empty. 

One can make similar assertions about the alternatives after and prom, but this 
is not useful. 

4.5 Treating the loop 

We use the leads-to relation between state predicates of [3]. A predicate U is said 
to lead to V if it is always the case that if U holds, then eventually V holds. This 
is formalized as follows. For subsets U and V of X, the set of state sequences in 
which U leads to V is defined by 

$\mathit{LT}(U,V) = \Box(\neg [U] \cup \Diamond [V])$ . 

Our specific algorithm is a simple loop with the property that, in any execution, 
if some process p does not get stuck at a line k, it will eventually proceed to line 
k + 1 or to 11. 

We need to prove that a process reaches 11 from a combination of lines. We 
therefore define 

$\mathit{toIdle}(k,p) = \mathit{LT}(p\ \mathrm{in}\ \{k\ldots\},\ p\ \mathrm{at}\ 11)$ . 

The relevance of this concept follows from the inclusion: 

(2) $\mathit{Ex} \cap \mathit{toIdle}(12,p) \subseteq \Box\Diamond [p\ \mathrm{at}\ 11]$ . 

This holds because, in any execution that belongs to $\mathit{toIdle}(12,p)$, if at some time 
p is not at 11, then p is in $\{12\ldots\}$ by Jq0, and therefore p will return to 11. 

On the other hand, in any execution, process p is never in $\{17\ldots\}$ by Jq0. We 
therefore have 

(3) $\mathit{Ex} \subseteq \mathit{toIdle}(17,p)$ . 

The aim is thus to decrement the first argument of toIdle. This is done with the 
relation 

(4) $\mathit{Ex} \cap \mathit{toIdle}(k+1,p) \subseteq \mathit{toIdle}(k,p) \cup \Diamond\Box [p\ \mathrm{at}\ k]$ . 

This formula just means that, in any execution, a process p that is ever at line k, 
but from that time onward never at line 11 or in $\{k+1\ldots\}$, needs to remain at k. 

As a process is never disabled at the lines 15 or 16, weak fairness implies that 
it never stays there, i.e., we have 

$\mathit{Ex} \cap \mathit{wf}(\mathit{fwd}(p)) \cap \Diamond\Box [p\ \mathrm{at}\ k] = \emptyset$ for k = 15, 16. 

Therefore, the formulas (3) and (4) imply that 

(5) $\mathit{Ex} \cap \mathit{wf}(\mathit{fwd}(p)) \subseteq \mathit{toIdle}(15,p)$ . 

It remains to eliminate the executions in $\Diamond\Box [p\ \mathrm{at}\ k]$ for k = 12, 13, and 14. This 
is done in the next three sections. 
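As an added illustration of the definitions of Sections 4.2, 4.3 and 4.5 (this is not code from the paper or from its PVS development), the following Python evaluates $[U]$, $[A]_2$, $\Box$, $\Diamond$, wf and LT on eventually periodic state sequences. Every shift $D(k, xs)$ of such a sequence is again one, and all shifts with k beyond the period coincide with an earlier one, so the quantification over k in $\Box$ and $\Diamond$ can stop there. The one-process toy state space, its reflexive step relation and the three sample sequences are constructed here and are assumptions, not the paper's algorithm: a process that keeps cycling through CS, one that blocks at line 14 because its fork never arrives, and one that is enabled at line 15 forever.

```python
"""Temporal operators of Sections 4.2, 4.3 and 4.5 on lasso-shaped state
sequences.  Added example; the toy one-process system is constructed for
illustration and is not the paper's algorithm."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Lasso:
    """xs(n) = prefix[n] for n < len(prefix); afterwards loop repeats forever."""
    prefix: tuple
    loop: tuple  # nonempty

    def at(self, n):
        if n < len(self.prefix):
            return self.prefix[n]
        return self.loop[(n - len(self.prefix)) % len(self.loop)]

    def shift(self, k):
        """D(k, xs): the sequence n -> xs(k + n), again as a lasso."""
        if k < len(self.prefix):
            return Lasso(self.prefix[k:], self.loop)
        r = (k - len(self.prefix)) % len(self.loop)
        return Lasso((), self.loop[r:] + self.loop[:r])

    def horizon(self):
        # every D(k, xs) with k >= horizon equals some D(k', xs) with k' < horizon
        return len(self.prefix) + len(self.loop)


def sem1(U):              # [U]   : xs(0) in U
    return lambda xs: U(xs.at(0))
def sem2(A):              # [A]_2 : (xs(0), xs(1)) in A
    return lambda xs: A(xs.at(0), xs.at(1))
def box(P):               # always P
    return lambda xs: all(P(xs.shift(k)) for k in range(xs.horizon()))
def diamond(P):           # eventually P
    return lambda xs: any(P(xs.shift(k)) for k in range(xs.horizon()))
def union(P, Q):
    return lambda xs: P(xs) or Q(xs)
def disabled(R, states):  # D(R) = {x | no y with (x, y) in R}
    return lambda x: not any(R(x, y) for y in states)
def wf(R, states):        # wf(R) = box diamond [D(R)]  U  box diamond [R]_2
    return union(box(diamond(sem1(disabled(R, states)))), box(diamond(sem2(R))))
def leads_to(U, V):       # LT(U, V) = box (not [U]  U  diamond [V])
    return box(union(sem1(lambda x: not U(x)), diamond(sem1(V))))

# --- constructed toy system: one process, state = (pc, waiting_for_fork) ---
STATES = [(pc, w) for pc in range(11, 17) for w in (0, 1)]
def init(x):
    return x == (11, 0)
def fwd(x, y):            # forward step; line 14 is guarded by "need is empty"
    pc, w = x
    if pc == 13:
        return y == (14, 1)          # toy: entering line 14 always needs a fork
    if pc == 14:
        return w == 0 and y == (15, 0)
    return y == ((pc + 1 if pc < 16 else 11), w)
def rec(x, y):            # receiving the granted fork empties need
    return x[1] == 1 and y == (x[0], 0)
def step(x, y):           # reflexive, as in Section 4.2
    return x == y or fwd(x, y) or rec(x, y)
def at(k):
    return lambda x: x[0] == k
def in_from(k):           # "p in {k ...}"
    return lambda x: x[0] >= k

EX = lambda xs: sem1(init)(xs) and box(sem2(step))(xs)   # Ex = [init] n box [step]_2
def to_idle(k):                                          # toIdle(k, p)
    return leads_to(in_from(k), at(11))

def analyse(xs):
    """Truth values of the properties the text argues about, for one sequence."""
    return {"Ex": EX(xs),
            "box_diamond_at11": box(diamond(sem1(at(11))))(xs),
            "box_diamond_at14": box(diamond(sem1(at(14))))(xs),
            "diamond_box_at14": diamond(box(sem1(at(14))))(xs),
            "wf_fwd": wf(fwd, STATES)(xs),
            "wf_rec": wf(rec, STATES)(xs),
            "toIdle12": to_idle(12)(xs),
            "toIdle15": to_idle(15)(xs),
            "toIdle17": to_idle(17)(xs)}

# keeps cycling through its critical section
CYCLE = Lasso((), ((11, 0), (12, 0), (13, 0), (14, 1), (14, 0), (15, 0), (16, 0)))
# blocks at line 14 because the fork never arrives (violates wf(rec))
STUCK = Lasso(((11, 0), (12, 0), (13, 0)), ((14, 1),))
# enabled at line 15 forever but never moves (violates wf(fwd))
STALL = Lasso(((11, 0), (12, 0), (13, 0), (14, 1), (14, 0)), ((15, 0),))
```

STUCK is an execution, satisfies wf(fwd) because forward is disabled infinitely often, and satisfies toIdle(15) vacuously, but it fails wf(rec) and toIdle(12): exactly the kind of sequence that formula (1) removes once receives are assumed fair. STALL is an execution that fails wf(fwd) and toIdle(15), which is the content of the equation $\mathit{Ex} \cap \mathit{wf}(\mathit{fwd}(p)) \cap \Diamond\Box[p\ \mathrm{at}\ k] = \emptyset$ for k = 15. CYCLE also shows the Remark of Section 4.2: it is in $\Box\Diamond[p\ \mathrm{at}\ 14]$ but not in $\Diamond\Box[p\ \mathrm{at}\ 14]$.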
4.6 Progress at line 12 

Consider an execution $xs \in \Diamond\Box [p\ \mathrm{at}\ 12]$. From some time $n_0$ onward, process p is 
and remains at line 12. Therefore, weak fairness of fwd(p) implies that it is infinitely 
often disabled. It is disabled iff the set wack.p is nonempty. While p is at line 12, 
the finite set wack.p can only become smaller. It therefore is eventually constant 
and nonempty. So, there is a process q such that, from time $n_0$ onward, $q \in \mathit{wack}.p$ 
always holds. 

Assume that $\mathit{ack}.q.p > 0$ holds at some time $n_1 \geq n_0$. Then, by formula (1), 
there is a time $n \geq n_1$ such that $\mathit{ack}.q.p = 0$; therefore the ack message is received 
and $q \in \mathit{wack}.p$ is falsified. This proves that $\mathit{ack}.q.p = 0$ holds at any time $n \geq n_0$. 

By formula (1), there is a time $n_1 \geq n_0$ such that $\mathit{withdraw}.p.q = 0$. By Kq0, 
we then have $p \in \mathit{after}.q$. This can only be falsified by the alternative after, 
which sends a message ack.q.p. We therefore have that $p \in \mathit{after}.q$ holds at all times 
$n \geq n_1$. By formula (1), there is a time $n_2 \geq n_1$ such that $\mathit{notify}.p.q = 0$ and hence 
$p \in \mathit{before}.q$ by Kq1. This can only be falsified by the alternative after, which sends 
a message ack.q.p. We therefore have that $p \in \mathit{before}.q$ holds at all times $n \geq n_2$. 
Therefore, the alternative after is eternally enabled from time $n_2$ onward. By weak 
fairness it will be taken, thus falsifying $p \in \mathit{before}.q$. This is a contradiction. 

We have derived this contradiction using weak fairness of fwd(p), and of rec(m, p, q) 
and rec(m, q, p) for all q and some m. We therefore have proved that 

(6) $\mathit{Wf}(p) \cap \Diamond\Box [p\ \mathrm{at}\ 12] = \emptyset$ . 

4.7 Progress at line 13 

We now want to exclude the possibility that in some execution some process is 
eventually always at line 13. For an execution xs and a time $n \in \mathbb{N}$, let $S(n, xs)$ be 
the set of processes that, in xs, from time n onward, are always at 13. The invariant 
Lq0 in the state $xs(n)$ implies: 

(7) $xs \in \mathit{Ex} \wedge S(n,xs) \neq \emptyset \Rightarrow \exists\, p \in S(n,xs) : S(n,xs) \cap xs(n).\mathit{prio}.p = \emptyset$ . 

Let $p \in S(n,xs)$. From time n onward, process p is and remains at line 13. By 
weak fairness of fwd(p), process p is infinitely often disabled. As it is at line 13, 
process p is disabled iff the set prio.p is nonempty. While p is at line 13, the finite set 
prio.p can only become smaller. It therefore is eventually constant and nonempty. 
So, there is a process q such that from time n onward, $q \in \mathit{prio}.p$ always holds. It 
follows that, from time n onward, process p does not receive withdraw from q. By 
weak fairness of rec(withdraw, q, p), it follows that $\mathit{withdraw}.q.p = 0$ holds from 
time n onward. We thus have proved: 

(8) $xs \in \mathit{Ex} \wedge p \in S(n,xs) \wedge xs \in \mathit{Wf}(p) \Rightarrow \exists\, q : \forall\, i : q \in xs(n+i).\mathit{prio}.p \wedge xs(n+i).\mathit{withdraw}.q.p = 0$ . 

At this point, we note that the invariants Kq5, Lq2, and Mq1 together imply: 

(9) $q \in \mathit{prio}.p \wedge \mathit{withdraw}.q.p = 0 \Rightarrow q\ \mathrm{in}\ \{13, 14\} \wedge p \bowtie q$ . 

Therefore, formulas (8) and (9) imply 

(10) $\mathit{Wf}(p) \cap \Diamond\Box [p\ \mathrm{at}\ 13] \subseteq \bigcup_q \Diamond\Box [p \bowtie q]$ . 

For the sake of starvation freedom, we combine (7), (8), and (9) to 

(11) $\mathit{WF} \cap \Diamond\Box [r\ \mathrm{at}\ 13] \subseteq \bigcup_q \Diamond\Box [q\ \mathrm{at}\ 14]$ . 

This formula is proved as follows. Let xs be in the lefthand set. Then there is 
a number n such that $S(n,xs)$ is nonempty. Formula (7) gives some process 
$p \in S(n,xs)$ with prio.p disjoint from $S(n,xs)$. As $\mathit{WF} \subseteq \mathit{Wf}(p)$, the formulas (8) and 
(9) yield a process q that is and remains in prio.p and that is and remains in $\{13, 14\}$. 
As $q \notin S(n,xs)$, it follows that q is eventually always at 14. 

4.8 Progress at line 14 

Let xs be an execution in $\Diamond\Box [p\ \mathrm{at}\ 14]$. Process p waits at line 14 for emptiness of 
need. This condition belongs to the inner protocol. The inner protocol in isolation, 
however, is not starvation free because it would allow a lower process repeatedly 
to claim priority over p by sending reqs. We need the FCFS property of the outer 
protocol to preclude this. Technically, the problem is that need.p can grow at line 
14 in the alternative prom. 

Partly in order to prove that eventually the truth value of $q \in \mathit{need}.p$ is constant, 
we construct a numeric state function $\mathit{vf}(q,p) \geq 0$ that, for $q \in \mathit{nbh}.p$, eventually 
never increases and therefore stabilizes to a constant value, and that is only 
constant when the truth value of $q \in \mathit{need}.p$ is also constant. We construct vf as 
the weighted sum of three bit-valued state functions: 

$\mathit{vf}(q,p) = \mathit{vf0}(q,p) + 2 \cdot \mathit{vf1}(q,p) + 4 \cdot \mathit{vf2}(q,p)$ where 
$\mathit{vf0}(q,p) = |\, q \in \mathit{need}.p \,|$ , 
$\mathit{vf1}(q,p) = |\, \mathit{fork}.q.p + \mathit{gra}.p.q = 0 \wedge q < p \,|$ , 
$\mathit{vf2}(q,p) = |\, q\ \mathrm{in}\ \{13\ldots\} \wedge p \in \mathit{nbh}.q \wedge p \notin \mathit{prio}.q \,|$ . 

Indeed, when process p is and remains at line 14, its neighbourhood nbh.p is 
constant. For any $q \in \mathit{nbh}.p$, we have eventually $\mathit{notify}.p.q = 0$ by formula (1). This 
remains valid because p at 14 does not send notify. By Kq4, we therefore have 
eventually always $p \in \mathit{before}.q$. 

We claim that, while p is at line 14 and $p \in \mathit{before}.q$ holds, $\mathit{vf}(q,p)$ never 
increases. This is proved as follows. At line 12, $\mathit{vf2}(q,p)$ does not increase because 
of Kq0 and Kq2. The same holds for withdraw. At line 16, $\mathit{vf1}(q,p)$ can be 
incremented, but this is compensated by decrementation of $\mathit{vf2}(q,p)$ because of Mq1. 
The difficult alternative is prom, because it can increment $\mathit{vf0}(q,p)$ by adding q to 
need.p. In that case, Iq8 implies $q < p$. Therefore, $\mathit{vf1}(q,p)$ is decremented because 
of Iq3, Iq4, and Iq7. This proves the claim. 

It follows that, if process p is and remains at line 14, eventually $\mathit{vf}(q,p)$ becomes 
constant. When $\mathit{vf}(q,p)$ is constant, $q \in \mathit{need}.p$ is also constant because $q \in \mathit{need}.p$ 
holds if and only if $\mathit{vf}(q,p)$ is odd. This proves that, eventually, the truth value of 
$q \in \mathit{need}.p$ becomes constant. 
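The weights 1, 2, 4 are what make the argument above work: a drop of vf2 outweighs any rise of vf1, and a drop of vf1 outweighs the rise of vf0 that prom causes, so the function as a whole never increases while only its parity tracks $q \in \mathit{need}.p$. The following Python traces vf(q,p) along a constructed two-process run. It is an added example, not the paper's code: the three transitions (prom at p, line 16 at q, and receiving gra) are modelled from the text's description of their effect on fork, gra, need and pc, not taken from the paper's Figures 1-3, which are not reproduced here, and the initial state is built to satisfy Iq4, Iq5 and Jq2 for the pair.

```python
"""The variant function vf(q, p) of Section 4.8 on a constructed two-process
run.  Added example: the transitions are modelled from the text's description
of prom, line 16 and receiving gra; they are not the paper's Figures 1-3."""
import copy


def vf_bits(x, q, p):
    """(vf0, vf1, vf2) for the pair (q, p) in state x, as defined in Section 4.8."""
    vf0 = int(q in x["need"][p])
    vf1 = int(x["fork"][(q, p)] + x["gra"][(p, q)] == 0 and q < p)
    vf2 = int(x["pc"][q] >= 13 and p in x["nbh"][q] and p not in x["prio"][q])
    return vf0, vf1, vf2

def vf(x, q, p):
    b0, b1, b2 = vf_bits(x, q, p)
    return b0 + 2 * b1 + 4 * b2      # a drop of a heavier bit dominates the lighter ones

def one_fork_per_edge(x, q, p):      # invariant Iq4 for the pair q, p
    return (x["fork"][(q, p)] + x["fork"][(p, q)]
            + x["gra"][(q, p)] + x["gra"][(p, q)]) == 1

def parity_matches(x, q, p):         # q in need.p  iff  vf(q,p) is odd
    return (vf(x, q, p) % 2 == 1) == (q in x["need"][p])

# --- modelled transitions (assumptions, see the lead-in) ---
def prom(x, p, q):
    """p at line 14 hands the promised fork to the lower neighbour q by
    sending gra, and therefore puts q into need.p."""
    y = copy.deepcopy(x)
    y["fork"][(p, q)] -= 1
    y["gra"][(p, q)] += 1
    y["need"][p].add(q)
    return y

def receive_gra(x, r, s):
    """r receives the fork granted by s; s is then no longer needed by r."""
    y = copy.deepcopy(x)
    y["gra"][(s, r)] -= 1
    y["fork"][(r, s)] += 1
    y["need"][r].discard(s)
    return y

def at_line(x, r, k):
    y = copy.deepcopy(x)
    y["pc"][r] = k
    return y

def leave_cs(x, q, p):
    """q executes line 16: hands the fork back to p and becomes idle."""
    y = at_line(x, q, 11)
    y["fork"][(q, p)] -= 1
    y["gra"][(q, p)] += 1
    return y

def run():
    """Successive values of vf(q,p), and whether Iq4 and the parity property
    held in every state of the constructed run."""
    q, p = 1, 2                       # q < p, so vf1 can be 1
    x = {"pc": {q: 14, p: 14},
         "need": {q: {p}, p: set()},
         "nbh": {q: {p}, p: {q}},
         "prio": {q: set(), p: set()},
         "fork": {(q, p): 0, (p, q): 1},   # high default: p holds the fork
         "gra": {(q, p): 0, (p, q): 0}}
    trace = [x]
    x = prom(x, p, q);         trace.append(x)   # p grants and now needs it back
    x = receive_gra(x, q, p);  trace.append(x)   # q holds the fork it needed
    x = at_line(x, q, 16);     trace.append(x)   # q went through 15 to 16
    x = leave_cs(x, q, p);     trace.append(x)
    x = receive_gra(x, p, q);  trace.append(x)   # p gets its fork back
    values = [vf(s, q, p) for s in trace]
    return (values,
            all(one_fork_per_edge(s, q, p) for s in trace),
            all(parity_matches(s, q, p) for s in trace))

def never_increases(values):
    return all(a >= b for a, b in zip(values, values[1:]))
```

Along the run vf(q,p) goes 6, 5, 5, 5, 3, 2: prom raises vf0 by 1 but lowers vf1 by 2, line 16 raises vf1 by 2 but lowers vf2 by 4, and the values are odd in exactly the states where q is in need.p.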

As need.p is always a subset of the finite set nbh.p, which is constant while p is 
at line 14, we can now conclude that eventually need.p is constant. If this constant 
were the empty set, process p would be eventually always enabled, and by weak 
fairness, process p would leave line 14. Therefore, there is some process q eventually 
always in need.p. We have $q \neq p$ because of Iq0 and Iq6. This proves 

(12) $\mathit{Wf}(p) \cap \Diamond\Box [p\ \mathrm{at}\ 14] \subseteq \bigcup_{q \neq p} \Diamond\Box [q \in \mathit{need}.p]$ . 

We now distinguish the cases $q < p$ and $p < q$. For the first case, we claim: 

(13) $q < p \Rightarrow \mathit{Wf}(p) \cap \Diamond\Box [q \in \mathit{need}.p] \subseteq \Diamond\Box [q\ \mathrm{in}\ \{14\ldots\} \wedge p \in \mathit{nbh}.q]$ . 

This is proved as follows. Firstly, $q \in \mathit{need}.p$ implies $\mathit{fork}.p.q = 0$ by Jq2. By (1) we 
have infinitely often $\mathit{gra}.q.p = 0$. Therefore, Jq3 and Iq4 imply that the conjunction 
$q\ \mathrm{in}\ \{14\ldots\} \wedge p \in \mathit{nbh}.q$ holds infinitely often. 

When process q leaves $\{14\ldots\}$ by executing line 16 or env14, it decrements 
$\mathit{vf2}(q,p)$ because of Mq1; it therefore also decrements $\mathit{vf}(q,p)$ (even if $\mathit{vf1}(q,p)$ 
increases). As $\mathit{vf}(q,p)$ is eventually constant, it follows that eventually q remains in 
$\{14\ldots\}$ and therefore p remains in nbh.q. This proves (13). 

For the second case, we claim: 

(14) $p < q \Rightarrow \mathit{Wf}(p) \cap \Diamond\Box [q \in \mathit{need}.p] \subseteq \Diamond\Box [q\ \mathrm{in}\ \{15\ldots\} \wedge p \in \mathit{nbh}.q]$ . 

This is proved as follows. The fact that q remains in need.p together with Iq6 and 
formula (1) are used to prove that eventually always $\mathit{req}.p.q = 0$, and $\mathit{gra}.q.p = 0$, 
and $\mathit{gra}.p.q = 0$. This implies eventually always $p \in \mathit{prom}.q$ by Jq1, and $p \notin \mathit{away}.q$ 
by Jq2, Iq3, and Iq4. Yet, the alternative prom is not taken anymore. Therefore, 
weak fairness implies that $q\ \mathrm{in}\ \{15\ldots\} \wedge p \in \mathit{nbh}.q$ holds infinitely often. Again 
using that $\mathit{vf}(q,p)$ is eventually constant, we get that process q eventually remains 
in $\{15\ldots\}$ and that p remains in nbh.q. This proves (14). 

As $q \in \mathit{need}.p$ implies $q \in \mathit{nbh}.p$ by Iq6, the formulas (12), (13), (14) combine 
to yield 

(15) $\mathit{Wf}(p) \cap \Diamond\Box [p\ \mathrm{at}\ 14] \subseteq \bigcup_q \Diamond\Box [p \bowtie q]$ . 

With regard to starvation freedom, we use the formulas (12), (13), (14) to prove 

(16) $\mathit{WF} \cap \Diamond\Box [r\ \mathrm{at}\ 14] = \emptyset$ . 

This is done by contradiction. Assume that xs is an element of the lefthand 
expression. Let p be the lowest process with $xs \in \Diamond\Box [p\ \mathrm{at}\ 14]$. Formula (12) gives us a 
process $q \neq p$ with $xs \in \Diamond\Box [q \in \mathit{need}.p]$. By (5), we have 

(17) $xs \in \mathit{toIdle}(15, q)$ . 

If $q < p$, formula (13) gives $xs \in \Diamond\Box [q\ \mathrm{in}\ \{14\ldots\}]$. Together with (17), this implies 
$xs \in \Diamond\Box [q\ \mathrm{at}\ 14]$, contradicting the minimality of p. If $p < q$, formula (14) gives 
$xs \in \Diamond\Box [q\ \mathrm{in}\ \{15\ldots\}]$, which contradicts (17). This concludes the proof of (16). 

4.9 End of proofs 

Theorem 2 follows from the formulas (2) and (5) by repeated application of (4) with 
(6), (11), (16). 

Similarly, Theorem 3 follows from the formulas (2) and (5) by repeated 
application of (4) with (6), (10), (15). 

5 Sketch of the PVS verification 

The reader who is familiar with PVS can obtain the dump of the proof script from 
our website. The proof consists of 183 lemmas that can be verified within three 
minutes on an ordinary laptop. 

For the reader who is not familiar with proof assistants, we give some indications 
here of how we used the proof assistant PVS. 

The first thing to do is to declare the state space of the algorithm. This is done 
by means of the declarations: 

Process: TYPE FROM nat 

state: TYPE = [# 
    fork: [Process -> [Process -> int]], 
    req, gra, notify, withdraw, ack: [Process -> [Process -> nat]], 
    pc: [Process -> nat], 
    nbh, need, prom, away, wack, before, prio, after: 
        [Process -> finite_set[Process]] 
#] 

The first line says that Process is an unspecified subset of $\mathbb{N}$. The second line 
declares state as a record with the program variables as fields. 

In order to inform PVS of the types of the free variables that we are going to 
use, we declare 

p, q, r: VAR Process 
x, y: VAR state 

The next point is to define the step relation of the transition system according 
to Figures 1, 2, 3. We construct it as the union of separate relations for each of 
the 16 alternatives. As an example, the state modification at line 12 of forward is 
given by 

next12(p, x): state = 
    x WITH [ 
        `notify(p) := LAMBDA q: x`notify(p)(q) + b2n(x`nbh(p)(q)), 
        `prio(p)   := {q | x`nbh(p)(q) AND x`before(p)(q) 
                           AND NOT x`after(p)(q)}, 
        `pc(p)     := 13 
    ] 

Here x`nbh(p)(q) means $q \in \mathit{nbh}.p$ in state x, and b2n is the function that converts 
a Boolean to a bit. The corresponding step relation is: 

step12(p, x, y): bool = 
    x`pc(p) = 12 AND y = next12(p, x) AND empty?(x`wack(p)) 

When the step relation has been constructed, we turn to the construction and 
the verification of the invariants. This is a major effort. One of the simpler cases is 
Iq8. 

iq8(q, r, x): bool = 
    x`prom(r)(q) IMPLIES q < r 

iq8_rest: LEMMA 
    iq8(q, r, x) AND step(p, x, y) 
    IMPLIES iq8(q, r, y) OR stepReq(p, x, y) 

iq8_Req: LEMMA 
    iq8(q, r, x) AND stepReq(p, x, y) AND iq9(q, r, x) 
    IMPLIES iq8(q, r, y) 

iq8_step: LEMMA 
    iq8(q, r, x) AND step(p, x, y) AND iq9(q, r, x) 
    IMPLIES iq8(q, r, y) 

This shows that preservation of Iq8 only needs Iq9 at the alternative req. When 
all invariants separately have been constructed, we form the conjunction globinv 
of the universal quantifications of them and prove that globinv is inductive: 

globinv_step: LEMMA 
    globinv(x) AND step(p, x, y) 
    IMPLIES globinv(y) 

globinv_start: LEMMA 
    start(x) IMPLIES globinv(x) 

We formalize state sequences, executions, and weak fairness just as described in 
Section 4. For instance, function wf of Section 4.3 is given by 

weakly_fair(rel)(xs): bool = 
    box(diamond(sem1(disabled(rel))))(xs) 
    OR box(diamond(sem2(rel)))(xs) 

Finally, Theorem 2 is given by 

liveness: THEOREM   % starvation freedom 
    weakly_fair_all(xs) AND execution(xs) 
    IMPLIES box(diamond(sem1(at(11, p))))(xs) 

6 Conclusions 

The acyclicity invariant introduced by Chandy and Misra for their drinking 
philosophers [3] was not necessary for liveness, and it was problematic for the message 
complexity and memory requirements. In our solution, we abandon the acyclicity 
invariant. We also break the symmetry, in two ways. Firstly, by giving higher priority 
to the lower processes. Secondly, by using an asymmetric default fork distribution, 
in which the higher processes are better off in the sense that they need not request 
forks. 

Originally, we had a weaker outer protocol that only added starvation freedom 
to the inner protocol, and the inner protocol used the low default fork distribution 
with $\mathit{fork}.q.r = |\, q < r \,|$. When we had completed its proof, we disliked the order 
in which processes could enter CS. We therefore investigated the high default, and 
postulated the FCFS property. It came as a surprise to us that this resulted in a 
somewhat simpler algorithm. 

The design of the algorithm was only possible, because we could use the proof 
assistant PVS [2] to verify the invariants and the progress requirements. We could 
fruitfully reuse parts of the PVS-proof of the earlier algorithms in the proof of the 
final algorithm. 

We hope that the algorithm or variations of it can be used in the design of 
practical resource allocation algorithms. Indeed, when the processes compete for 
several resources, Chandy and Misra [5] suggest using coloured bottles (forks) with 
a colour for every resource. This can also be done in our algorithm. There should, 
however, be some relationship between the resources in the application and the 
neighbourhoods in our model, and this relationship should be exploited for better 
performance in the presence of many processes. For applications on the internet, 
one would need to extend the algorithm with fault tolerance. These extensions are 
matters for future research. 